[
https://issues.apache.org/jira/browse/HIVE-27510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Denys Kuzmenko updated HIVE-27510:
----------------------------------
Affects Version/s: 3.1.3
> Security vulnerability of hive-exec's dependency of Parquet-MR
> --------------------------------------------------------------
>
> Key: HIVE-27510
> URL: https://issues.apache.org/jira/browse/HIVE-27510
> Project: Hive
> Issue Type: Bug
> Components: Hive
> Affects Versions: 3.1.3
> Reporter: Xing Wei
> Priority: Critical
> Labels: security
>
> Hi, so there's a Parquet-MR security vulnerability reported in this [CVE
> link|[CVE - CVE-2021-41561
> (mitre.org)|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41561]].
> Given Parquet-MR is also a direct dependency of hive-exec, this impacts users
> who are leveraging this particular JAR package to achieve Parquet read and
> write capabilities.
> The latest stable release of hive-exec is 3.1.3. And according to its Maven
> POM file, the version of Parquet-MR lib that gets packaged is 1.10.0. To
> address the security issue, the version needs to be upraded to 1.12.2 or
> 1.11.2.
> We believe security is of upmost priority, which is why the priority is
> marked as critical. We've been using hive-exec to serve our customers in
> Parquet-related workloads in production. Please let us know if there's any
> plan to upgrade Parquet-MR in the near future.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
